diff --git a/puppet/services/tripleo-firewall.yaml b/puppet/services/tripleo-firewall.yaml
index b92be457ac..b5ea0e8fba 100644
--- a/puppet/services/tripleo-firewall.yaml
+++ b/puppet/services/tripleo-firewall.yaml
@@ -38,6 +38,17 @@ parameters:
 default: false
 description: Whether IPtables rules should be purged before setting up the new ones.
 type: boolean
+ FirewallChains:
+ default: {}
+ description: >
+ Firewall chains definitions to manage. The keys of the dictionary must be
+ in the format "::". When specified, these rules
+ are merged with { 'FORWARD:filter:IPv4': { 'policy': 'accept' },
+ 'FORWARD:filter:IPv6': { 'policy': 'accept' } }. The current available
+ features 'ensure' Adds or removes a chain (present|absent), 'policy'
+ Action the packet will performa at the end of the chain (accept|drop|queue|return),
+ and 'purge' Remove all rules for this change (true|false).
+ type: json

 outputs:
 role_data:
@@ -47,6 +58,11 @@ outputs:
 config_settings:
 tripleo::firewall::manage_firewall: {get_param: ManageFirewall}
 tripleo::firewall::purge_firewall_rules: {get_param: PurgeFirewallRules}
+ tripleo::firewall::firewall_chains:
+ map_merge:
+ - { 'FORWARD:filter:IPv4': { 'policy': 'accept' },
+ 'FORWARD:filter:IPv6': { 'policy': 'accept' } }
+ - {get_param: FirewallChains}
 step_config: |
 include ::tripleo::firewall
 upgrade_tasks:
diff --git a/releasenotes/notes/firewall-chain-management-cf0b38d533646a08.yaml b/releasenotes/notes/firewall-chain-management-cf0b38d533646a08.yaml
new file mode 100644
index 0000000000..bf67ff870e
--- /dev/null
+++ b/releasenotes/notes/firewall-chain-management-cf0b38d533646a08.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Adds `FirewallChains` parameter that can be used to manage the defined
+ firewall chains. By default the FORWARD chain configured to be present
+ and set to ACCEPT.
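Review bot: The key format in the new FirewallChains description is rendered as `"::"`, which leaves the reader with no idea what the three colon-separated fields are; the placeholder names look to have been stripped, and the example keys suggest chain name, table and IP version, so something like `in the format "<chain>:<table>:<ip_version>", e.g. "FORWARD:filter:IPv4"` would be unambiguous. The same paragraph says the rules are "merged with" the FORWARD defaults but not which side wins; since the parameter is the last entry of the map_merge in the config_settings hunk, operator-supplied keys override the defaults per key, and the description should say so. Two wording slips in the feature list: `performa` for `perform`, and `Remove all rules for this change` presumably means `for this chain`. Because FirewallChains is `type: json`, nothing at the template level checks that keys follow the three-field format; if the puppet side does not validate them either, a malformed key only surfaces at apply time, which is worth stating in the description.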
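Review bot: The literal default `{ 'FORWARD:filter:IPv4': { 'policy': 'accept' }, 'FORWARD:filter:IPv6': { 'policy': 'accept' } }` sets a permissive forwarding policy for both address families with no comment on why the chain is opened rather than left alone, and this file is where an operator will look when deciding whether to tighten it. A one-line comment above the map_merge stating the reason (which traffic relies on FORWARD being ACCEPT) would make that decision an informed one; as the merge is per key, an operator who overrides only the IPv4 entry leaves IPv6 at accept, which should be spelled out as well. The same literal also appears verbatim in the parameter description in the first hunk, so the two can drift; consider describing the behaviour there ("the FORWARD chain defaults to policy accept for IPv4 and IPv6") instead of repeating the map.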